Microsoft took a two-year-old contest and turned it on its head to come up with a new reward program that will pay security researchers up to $100,000 for demonstrating novel attack tactics against Windows 8.1.

In a broad announcement Wednesday that also revealed its first-ever bug bounty program, Microsoft spelled out two new projects that will hand cash to security researchers.

One, dubbed "BlueHat Bonus for Defense," a spin-off from a 2011 contest named "BlueHat Prize," will pay researchers as much as $50,000 for fresh defensive security solutions.

The other, called "Mitigation Bypass Bounty," offers up to double that -- top dollar is $100,000 -- for any novel exploitation technique able to circumvent Windows 8.1's many defenses, or as Microsoft pegs them, "mitigations." Windows 8.1, the first major update for Windows 8, will launch as a public preview June 26 -- the same day both new reward programs kick off -- and release in a polished form this fall.

Neither the BlueHat Bonus nor the Mitigation Bypass Bounty is a true bug bounty program: They don't pay for previously unknown bugs in Microsoft's code. Instead, they aim to collect more sweeping research that Microsoft can use to stymie entire classes of vulnerability exploits.

"Eligible bypass submissions will include an exploit that demonstrates a novel method of exploiting a real Remote Code Execution (RCE) vulnerability and a white paper explaining the exploitation method," Microsoft said in its submission guidelines.

A single -- and previously unknown -- exploit technique that meets Microsoft's criteria could conceivably be used to exploit dozens, even scores, of zero-day vulnerabilities. Past exploit techniques that would have been eligible for the $100,000 payout, had they not already been public, include Return Oriented Programming (ROP) and JIT (Just-in-Time) heap spraying.

ROP was first described in a 2007 paper by Hovav Shacham, now a computer science professor at the University of California, San Diego; the JIT heap spraying technique was publicly revealed by Dionysus Blazakis of security firm FireEye in 2010.

In other words, novel exploitation tactics don't grow on trees.

Calling Windows' defensive mitigations the operating system's "shield," Katie Moussouris, a senior security strategist lead with the company, explained why Microsoft thought it was better to pay for broad-stroke bypasses than for bugs. "If we can get the knowledge [of such exploit techniques] earlier, we can try to block them," she said.

Experts generally applauded the two programs -- in part because of the dollar size of the awards -- but were uncertain how many submissions Microsoft would collect.

"They'll get people doing really cheap labor," said Andrew Storms, the former director of security operations at TripWire's nCircle. "But we don't know how many [submissions] they'll get."

Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass., company that develops application security testing and risk management software, predicted that, like 2011's BlueHat Prize, many of the Mitigation Bypass submissions will come from academics.

Two of the top three finalists of the BlueHat Prize, including the first-place winner who took home $200,000, were academic researchers.

"What I like about [the Mitigation Bypass Bounty] is that it has the potential to help other software," said Wysopal. "This type of program certainly helps [Microsoft] but they've had an ecosystem-wide approach," he added, referring to the company's multiple attempts to help other Windows developers secure their products. "I would hope that they would share any information to help other vendors write to the Windows platform."

Wysopal wondered, however, if the $100,000 was enough.

"If someone tried selling [a novel exploit technique], they could make a lot more money than that," Wysopal said. "On the other hand, it's more work to create all those individual zero-day exploits, then market them. So some people will go for [Microsoft's reward]."

But because Microsoft expects winning bypass submissions to also include an accompanying entry for the $50,000 BlueHat Bonus, the total may be closer to $150,000. "In practical terms, [BlueHat Bonus] ideas will come from the same researcher who submitted a Mitigation Bypass," said Moussouris.

Storms expected that Microsoft would integrate the results of both award programs into future versions of Windows, or at the least, incorporate some of the defensive techniques it receives into EMET (Enhanced Mitigation Experience Toolkit), as it did with at least one of the BlueHat Prize finalists' technology.

"I think [Mitigation Bypass] may have been spurred by Pwn2Own at CanSecWest this year," Storms added, talking about the March hacking contest where Microsoft's Internet Explorer was exploited by a team from the French vulnerability broker Vupen. "The tools used by Vupen to bypass [Windows' and] IE's mitigations were novel, and there was talk that Vupen handed those tools to Microsoft. But if they did, it meant [Vupen] had something much better."

Knowing that, Storms speculated, got Microsoft thinking about how to shake loose exploit techniques it had not yet heard of or seen used in the wild. "I think they said, 'There's a lot we don't know, but let's see if we can nip [new techniques] now instead of hackers using them in public exploits.'"

The BlueHat Bonus and Mitigation Bypass Bounty programs are open-ended, but apply only to Windows 8.1. Microsoft has published submission guidelines on its website, as well as an FAQ on the rewards.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.